Skip to main content

Microsoft Windows MSMQ vulnerabilities affecting Security Center

April 25, 2023

Microsoft has released a fix for three high and critical security issues impacting the Microsoft Message Queuing (MSMQ) feature of Windows. Certain versions of Genetec™ Security Center enable and use this feature. And this is why the Microsoft patches must be applied as soon as possible to mitigate any risk of compromise.

Risk assessment

All three vulnerabilities affect systems running any version of Microsoft Windows with the MSMQ feature enabled. Successful exploitation of those vulnerabilities could lead to a denial-of-service and, in the case of CVE-2023-21554, remote code execution on the underlying host. Mitigating factors present on Streamvault™ appliances make only local exploitation possible. See the Affected products section below for more details.

The severity of the issues ranges from a CVSSv3.1 score of 7.5 to 9.8. For more details, please consult the Microsoft documentation associated with each vulnerability (CVE-2023-21554, CVE-2023-21769, CVE-2023-28302).

Details

The MSMQ feature of Windows is used by the Archiver role in Security Center for caching purposes and helps the role alleviate network instability when communicating with its database.

Recommendation

We recommend applying the Microsoft Windows security update of April 2023 as soon as possible.

Workarounds

If the Microsoft Windows security update of April 2023 cannot be applied in a timely fashion, then block access to port TCP 1801 (MSMQ) through the Windows firewall until the patch can be applied.

It’s also possible to disable the MSMQ service on the Windows machine on which no Archiver role is running. Disabling the MSMQ service on the Windows machine running any Archiver role is not recommended as it will prevent the video recording feature from working properly and cause data loss.

Affected products

Product

Affected

Details

Security Center 5.8 to 5.11

Yes

N/A

Security Center 5.8 to 5.11 running on Streamvault appliances

Yes, severity reduced

Windows image hardening done on Streamvault appliances caused MSMQ TCP port 1801 to be blocked by default. Therefore, local access is required to exploit vulnerabilities.


The Windows security update can be automatically downloaded and installed using the Genetec Update Service (GUS).

All other Security Center versions

No

Those Security Center versions aren’t enabling and using the MSMQ service

Security Center SaaS Edition

No

N/A

For more information or assistance, please log in to the Genetec Technical Assistance Portal (GTAP) to open a support case.